Security flaw in Xiaomi electric scooters could have deadly consequences

Xiaomi’s M365 electric scooters could be something of a deathtrap for riders, after a security firm discovered security flaws in the scooters’ Bluetooth systems.

Zimperium reported in a blog this week that the M365 electric scooters use Bluetooth via a dedicated in order to manage features like cruise control, anti-theft systems, and eco-mode. While the Bluetooth system includes a password for security, the password doesn’t actually work properly.

Because of that lack of password security, an attacker could, in theory,target a rider, and then cause the scooter to suddenly brake or accelerate. That could potentially have deadly consequences, particularly if a rider is crossing the road.

The attacker can also lock any scooter through a denial of service attack, and the attacker could also load malware that can take full control of the scooter (Zimperium responsibly chose not to disclose the malware that could do such a thing).

The company explains what the issue with the password authentication is:

“During our research, we determined the password is not being used properly as part of the authentication process with the scooter and that all commands can be executed without the password. The password is only validated on the application side, but the scooter itself doesn’t keep track of the authentication state. Therefore, we can use all of these features without the need for authentication.”

Zimperium demonstrates the proof-of-concept attack in a YouTube video, which shows researchers performing a remote lock on a scooter.

“We demonstrate a PoC locking the scooter using our malicious application that scans for nearby Xiaomi M365 scooters and disables them by using the anti-theft feature of the scooter – without authentication or the user consent.

"The app sends a crafted payload using the correct byte sequence to issue a command that will lock any nearby scooter in the distance of up to 100 metres away.”

Xiaomi responded to Zimperium and acknowledged that it is a known issue. Xiaomi says it has made the issue public. Because Xiaomi works with third parties, it has to work with them to create a fix.

However, it doesn’t look like Xiaomi will be issuing recalls, and the affected scooter is still being sold in New Zealand and worldwide. In New Zealand, the scooter retails for almost $700.

“Unfortunately, the scooter’s security still needs to be updated by Xiaomi (or any 3rd parties they work with) and cannot be fixed easily by the user,” Zimperium concludes.